CPU priority must be set appropriately on all containers.

An XCCDF Rule

Description

<VulnDiscussion>All containers on a Docker host share the resources equally. By using the resource management capabilities of Docker host, such as CPU shares, the user controls the host CPU resources that a container may consume. By default, CPU time is divided between containers equally. If CPU shares are not properly set, the container process may have to starve if the resources on the host are not available. If the CPU resources on the host are free, CPU shares do not place any restrictions on the CPU that the container may use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260925r966132_rule
Severity: Medium
References: CCI-000381 CCI-002530 CCI-002824
Updated: 19 days ago

Set Resource Quotas and CPU priority for each namespace.

When using Kubernetes orchestration:

1. Create a resource quota as follows (quotaexample.yaml):
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-demo
spec:
  hard:
    requests.cpu: ""1""
    requests.memory: 1Gi
    limits.cpu: ""2""
    limits.memory: 2Gi
Where the limits can be set according to the SSP.

Save this file.

2. Apply the quota to a namespace within the cluster by executing:

kubectl apply -f [full path to quotaexample.yaml] --namespace=[name of namespace on cluster]

This must be repeated for all namespaces. Quotas can differ per namespace as required by the site.

When using Swarm orchestration:

1. Set Resource Quotas by executing the following:

docker exec -it [container name] --memory=""""2g""""

This must be repeated for all containers. Quotas can differ per container as required by the site.

2. Set CPU Priority:

When using Swarm orchestration to manage the CPU shares between containers, start the container using the --cpu-shares argument.

For example, run a container as below:

docker run --interactive --tty --cpu-shares 512 [image] [command]

In the above example, the container is started with CPU shares of 50 percent of what the other containers use. So, if the other container has CPU shares of 80 percent, this container will have CPU shares of 40 percent.

Note: Every new container will have 1024 shares of CPU by default. However, this value is shown as "0" if running the command mentioned in the audit section.

Alternatively:
1. Navigate to /sys/fs/cgroup/cpu/system.slice/ directory.

2. Check the container instance ID using docker ps.

3. Inside the above directory (in step 1), there will be a directory called docker-<Instance ID>.scope. For example, docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope. Navigate to this directory.

4. Find a file named cpu.shares. Execute cat cpu.shares. This will always show the CPU share value based on the system. Even if there are no CPU shares configured using -c or --cpu-shares argument in the docker run command, this file will have a value of 1024.

By setting one containers CPU shares to 512, it will receive half of the CPU time compared to the other container. Take 1024 as 100 percent and derive the number that set for respective CPU shares. For example, use 512 to set 50 percent and 256 to set 25 percent.

CPU priority must be set appropriately on all containers.

Description

Remediation - Manual Procedure